Professional Documents
Culture Documents
CGS09 Hipaa
CGS09 Hipaa
Page 1 of 4
Copyright, 2010, Cross Country University.
Compliance
Using and disclosing protected health information
Without a signed or verbal authorization from the patient, Protected Health Information (PHI)
can be used and disclosed ONLY:
When providing PHI, use the Minimum Necessary Rule. That is, provide only the least amount
of information that is needed.
This Minimum Necessary Rule does NOT apply to:
Information shared with other health care providers for treatment purposes;
healthcare providers may require the entire record for treatment
Information requested by the individual
Information required by law
Page 2 of 4
Copyright, 2010, Cross Country University.
To
To
To
To
A detailed description of how the information may be used for treatment, payment,
and healthcare operations
A description of circumstances in which protected health information may be disclosed
without the individual's written permission
A statement that other uses and disclosures will only be made with written
authorization from the individual, and that the authorization can be withdrawn
A statement of the individual's rights with respect to protected health information, as
well as an explanation of how the individual can exercise those rights.
A statement that the organization is required by law to maintain the privacy of
protected health information and to provide individuals with notice of its legal duties
and privacy practices with respect to protected health information
A statement that individuals have the right to complain to the organization and to the
Secretary of Health and Human Services (HHS) or any officer or employee of HHS to
whom the authority involved has been delegated if they believe their privacy rights
have been violated
A brief description as to how the complaint may be filed
Page 3 of 4
Copyright, 2010, Cross Country University.
A statement that there will be no retaliation towards the individual for filing a
complaint
The name, title, and telephone number of the person or office to contact for further
information. It must also contain the effective date of the notice
Rights of patients
HIPAA allows individuals certain rights as to how their Personal Health Information is used and
accessed.
Individuals have the right to restrict the use and disclosure of their information.
They can request that information be restricted in some manner when disclosed to others for
the purpose of treatment, payment, or healthcare operations.
However, the health care organization, or other covered entity, does have the right to not
agree to this restriction.
Example: The patient could request that the organization not share his diagnosis with his
health insurance agency. Since this would affect the way in which the organization will be
reimbursed for services, the organization does not have to agree to this.
Individuals have the right to access their own Personal Health Information
Individuals have the right to inspect and receive a copy of their PHI with the exceptions of
psychotherapy notes and information that has been gathered in anticipation of civil, criminal,
or administrative action.
Individuals have the right to amend their Personal Health Information
Individuals can request that the organization change any PHI that it maintains in record sets.
The organization can require that these requests for change be in writing and that the
individual explain the reason for the change.
Individuals have a right to have an account of access to their PHI
Individuals have a right to know the identities of those persons or agencies (Including
Business Associates) that have accessed their PHI for 6 years PRIOR to the request.
Page 4 of 4
Copyright, 2010, Cross Country University.